[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)

John Crispin john at phrozen.org
Wed Aug 22 05:27:25 EDT 2018 


On 20/08/18 12:39, Nuno Morais wrote:
> For B2B applications, mutual authentication of peers is a requirement.
>
> Add operation to enable / disable peer authentication
> adding a new operation to the ustream_ssl_ops struct
> using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
> and "MBEDTLS_SSL_VERIFY_REQUIRED".

Hi,
2 nitpicks inline

> Signed-off-by: Nuno Morais <nuno.mcvmorais at gmail.com>
> ---
>   ustream-internal.h |  1 +
>   ustream-mbedtls.c  | 10 ++++++++++
>   ustream-openssl.c  | 12 ++++++++++++
>   ustream-ssl.c      |  1 +
>   ustream-ssl.h      |  2 ++
>   5 files changed, 26 insertions(+)
>
> diff --git a/ustream-internal.h b/ustream-internal.h
> index a8c534f..923e9d2 100644
> --- a/ustream-internal.h
> +++ b/ustream-internal.h
> @@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server);
>   int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
>   int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
>   int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
> +int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth);
>   void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
>   enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
>   int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 347c600..d859a08 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
>   	return 0;
>   }
>   
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> +	if(mutual_auth)
missing space betwen if and ( at various places inside the patch.
> +		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
> +	else
> +		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
> +
> +	return 0;
> +}
> +
>   __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
>   {
>   #if defined(MBEDTLS_SSL_CACHE_C)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 7c72ce1..585e526 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
>   	return 0;
>   }
>   
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> +
> +	if(mutual_auth)
> +		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
unneeded space between (void *) and ctx at various places inside the patch

     John


> +	else
> +		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL);
> +
> +	return 0;
> +
> +}
> +
>   __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
>   {
>   	SSL_CTX_free((void *) ctx);
> diff --git a/ustream-ssl.c b/ustream-ssl.c
> index dd0faf9..ad80925 100644
> --- a/ustream-ssl.c
> +++ b/ustream-ssl.c
> @@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = {
>   	.context_set_crt_file = __ustream_ssl_set_crt_file,
>   	.context_set_key_file = __ustream_ssl_set_key_file,
>   	.context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
> +	.context_set_mutual_auth = __ustream_ssl_set_mutual_auth,
>   	.context_free = __ustream_ssl_context_free,
>   	.init = _ustream_ssl_init,
>   	.set_peer_cn = _ustream_ssl_set_peer_cn,
> diff --git a/ustream-ssl.h b/ustream-ssl.h
> index 7787788..3eb24ae 100644
> --- a/ustream-ssl.h
> +++ b/ustream-ssl.h
> @@ -52,6 +52,7 @@ struct ustream_ssl_ops {
>   	int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
>   	int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file);
>   	int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
> +	int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth);
>   	void (*context_free)(struct ustream_ssl_ctx *ctx);
>   
>   	int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server);
> @@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops;
>   #define ustream_ssl_context_set_crt_file	ustream_ssl_ops.context_set_crt_file
>   #define ustream_ssl_context_set_key_file	ustream_ssl_ops.context_set_key_file
>   #define ustream_ssl_context_add_ca_crt_file	ustream_ssl_ops.context_add_ca_crt_file
> +#define ustream_ssl_context_set_mutual_auth	ustream_ssl_ops.context_set_mutual_auth
>   #define ustream_ssl_context_free		ustream_ssl_ops.context_free
>   #define ustream_ssl_init			ustream_ssl_ops.init
>   #define ustream_ssl_set_peer_cn			ustream_ssl_ops.set_peer_cn


_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list